I set up Jenkins in my k8s cluster with a Helm chart. When checking out code, it says:
hudson.plugins.git.GitException: Command "git fetch --no-tags --force --progress https://someghe.com/***/***.git +refs/heads/feat/***:refs/remotes/origin/feat/***" returned status code 128:
stdout:
stderr: fatal: unable to access 'https://github.xxx.com/xxx/xxx.git/': SSL certificate problem: self signed certificate in certificate chain
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2042)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1761)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$400(CliGitAPIImpl.java:72)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:442)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:655)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
at hudson.remoting.UserRequest.perform(UserRequest.java:212)
at hudson.remoting.UserRequest.perform(UserRequest.java:54)
at hudson.remoting.Request$2.run(Request.java:369)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
at java.lang.Thread.run(Thread.java:748)
I tried to add certificates in both master and agent by using my own images. COPY certs into the image and updated certificates with update-ca-certificates.
But the error is still there. I tried to run the agent image using both docker run and kubectl run, and they can both git clone successfully.
Then I tried to update the git config using git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt, but it is still not working.
Master Dockerfile:
FROM jenkins/jenkins:lts
COPY some_ca.crt $JAVA_HOME/jre/lib/security
COPY some_ca.crt /usr/local/share/ca-certificates/CA.crt
USER root
RUN cd $JAVA_HOME/jre/lib/security \
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias some_ca -file some_ca.crt \
    && update-ca-certificates
ARG user=jenkins
USER ${user}
Agent Dockerfile:
FROM jenkins/jnlp-slave:3.27-1
COPY some_ca.crt $JAVA_HOME/jre/lib/security
COPY some_ca.crt /usr/local/share/ca-certificates/Douban_CA.crt
USER root
RUN cd $JAVA_HOME/jre/lib/security \
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias some_ca -file some_ca.crt \
    && update-ca-certificates \
    && git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt \
    && git config --global http.sslVerify false
ARG user=jenkins
USER ${user}
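
A diagnostic for the situation described above, added here as an example and not part of the original post: it prints the user, HOME and git TLS settings a build step actually runs with, and checks whether the CA is present in the bundle git is pointed at. The function names, the `--report` flag and the script name `check.sh` are hypothetical, and the CA file is assumed to be PEM-encoded.

```shell
#!/bin/sh
# Added diagnostic (not from the original post); function names are hypothetical.

# Print the base64 body of the first certificate in PEM file $1 as one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { if (on) { print buf; exit } }
         on { gsub(/[ \t\r]/, ""); buf = buf $0 }' "$1"
}

# Return 0 if the first certificate in $1 is present in bundle $2,
# 1 if it is absent, 2 if $1 holds no PEM certificate.
cert_in_bundle() {
    want=$(pem_body "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { on = 1; buf = ""; next }
        /-----END CERTIFICATE-----/   { if (on && buf == want) found = 1; on = 0; next }
        on { gsub(/[ \t\r]/, ""); buf = buf $0 }
        END { exit !found }' "$2"
}

# Show the identity and git TLS settings the build step really runs with.
report_git_tls() {
    echo "user=$(id -un 2>/dev/null || id -u) HOME=${HOME-<unset>}"
    echo "GIT_SSL_NO_VERIFY=${GIT_SSL_NO_VERIFY-<unset>} GIT_SSL_CAINFO=${GIT_SSL_CAINFO-<unset>}"
    for key in http.sslCAInfo http.sslCAPath http.sslVerify; do
        # --show-origin names the config file each value comes from
        git config --show-origin --get-all "$key" 2>/dev/null \
            || echo "$key: not set for this user"
    done
}

# Usage: sh check.sh --report [CA_CERT] [BUNDLE]; defaults are the question's paths.
if [ "${1-}" = "--report" ]; then
    ca=${2:-/usr/local/share/ca-certificates/CA.crt}
    bundle=${3:-/etc/ssl/certs/ca-certificates.crt}
    report_git_tls
    if cert_in_bundle "$ca" "$bundle"; then
        echo "CA from $ca is in $bundle"
    else
        echo "CA from $ca is NOT in $bundle (or a file is missing or not PEM)"
    fi
fi
```

Run it as a shell step of the failing job rather than by hand with docker run, since the job may execute as a different user or in a different container than the image that was tested manually.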